Access control policy not working

I am trying to implement an IP-range-based allow/deny using the Access Control policy. I am providing a screenshot of the proxy debug screen showing my IP as the first one in X-FORWARDED_FOR. The same address is also present in the proxy.client.ip field.

However, the policy is not denying access. Below is the implementation I have used.

Let me know if anyone can help @dchiesa1 @API-Evangelist

Thanks in advance

If you are just experimenting it's OK, else start exploring KVM - https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy#deny-using-variables

Maybe use ValidateBasedOn if it helps, as I see multiple IPs

https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy#validatebasedon

When the X-Forwarded-For HTTP header contains multiple IP addresses, use this ValidateBasedOn element to control which IP addresses are evaluated.

==

The documentation in Apigee is well written (mostly); you just need to go through each attribute, which will help. Good luck.

 
<AccessControl name="ACL">
  <IPRules noRuleMatchAction = "ALLOW">
    <MatchRule action = "DENY">
      <SourceAddress mask="32">198.51.100.1</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>


It could be that it's validating based on the last IP of the X-Forwarded-For; please refer to https://docs.apigee.com/api-platform/reference/policies/access-control-policy#xforwardedfor

Try this option, it should work for your use case

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> Access Control-1 true 103.160.194.119 X_FORWARDED_FOR_FIRST_IP

Did this solution work for you?

Thanks

Mahtab
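
To show why the DENY rule in this thread can miss when X-Forwarded-For carries several addresses, here is an added example (not from any poster and not Apigee's own code) that models the first-IP and last-IP selection the replies discuss. The sample header, the function names and the first-match rule loop are assumptions made for illustration.

```python
import ipaddress

# Constructed sample header: the client first, then two proxy hops
# (all addresses are from documentation ranges).
SAMPLE_XFF = "198.51.100.1, 203.0.113.7, 192.0.2.10"

# The rule from the thread: DENY 198.51.100.1 with mask 32, otherwise ALLOW.
RULES = [("DENY", "198.51.100.1", 32)]
NO_RULE_MATCH_ACTION = "ALLOW"


def select_ip(xff_header, validate_based_on):
    """Pick the address to test from X-Forwarded-For for the given mode."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        raise ValueError("empty X-Forwarded-For header")
    if validate_based_on == "X_FORWARDED_FOR_FIRST_IP":
        return hops[0]
    if validate_based_on == "X_FORWARDED_FOR_LAST_IP":
        return hops[-1]
    # Other modes are deliberately not modelled in this sketch.
    raise ValueError(f"mode not modelled here: {validate_based_on}")


def evaluate(xff_header, validate_based_on, rules=RULES,
             default=NO_RULE_MATCH_ACTION):
    """Return the action of the first rule whose network holds the selected IP.

    Assumption: rules are checked in order and the first match wins.
    """
    candidate = ipaddress.ip_address(select_ip(xff_header, validate_based_on))
    for action, address, mask in rules:
        # strict=False tolerates host bits set below the mask (e.g. /24 rules).
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        if candidate in network:
            return action
    return default


if __name__ == "__main__":
    for mode in ("X_FORWARDED_FOR_LAST_IP", "X_FORWARDED_FOR_FIRST_IP"):
        print(mode, "->", evaluate(SAMPLE_XFF, mode))
```

The leftmost X-Forwarded-For entry is whatever the client or an upstream hop sent, so a deny rule keyed on the first IP only holds when a trusted edge overwrites or sanitizes that header before it reaches the proxy.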